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'^q June 2013 



(U) It is hereby agreed by (he Accused, Defense Counsel, and Trial Counsel, that if Ms, 
Cathryn Strobl were present to testify during the merits and pre-sentencing phases of this court- 
martial, she would testify substantially as follows; 

1. (U) I am currently employed as a contractor with the Central Intelligence Agency (CIA). I 
am a software developer and I worked on the contract for the CIA's World Intelligence Review 
(WIRe) and its predecessor program from approximately 2005 through 2012. At present, I work 
as a software developer for another disseminated intelligence program. I hold a Bachelor's 
degree in Spanish from the University of Mary Washington, a Juris Doctor from the University 
of North Carolina at Chapel Hill, a Master's of Business Administration from the University of 
North Carolina al Greensboro, and a Computer Science Certificate from North Carolina Slate 
University. 1 have been working in the information technology field since 1 997, when I began 
working in database administration at University of North Carolina Hospitals. Since that time, I 
have participated in working in multiple training courses specific to database administration, web 
development, and system administration, including training geared towards the tools used to 
develop, administer, and maintain an enterprise application. 

2. (U) WIRe is a website controlled by the CIA, and located on the SIPRNET that allows a user, 
once authenticated, to conduct searches of various files created by the CIA and other 
organizations. That authentication is performed by means of an Intelink Passport user account. 
To apply for an Intelink Passport account a user has to enter their persona! information on the 
Intelink site on SIPRNET, 

3. (U) In approximately May 2010, 1 was asked to pull any user information for Bradley 
Manning as well audit logs for the date range October 2009 to May 2010 from the sending IP 
addresses of 22,225.41.22 and 22.225.41.40. At that time, an Intelink Passport account was 
required in order to access all information on the WIRe, except for leadership profiles. Under 
certain circumstances, if a user clicked on a leadership profile, the user id would not be logged. 
When the user id was logged, the WIRe system created numerous types of logs. In this case, I 
pulled all three types of logs: production logs, http logs, and SQL logs. The logs represent the 
same information, but they do so with different data in different formats. The application logs 
show requests at the application level. The http logs show all requests going in and out of Ihe 
web server. The SQL logs show the titles of the documents with their document numbers as 
reflected in the database. The SQL logs correspond with the http logs in that they show the 
actual name of the document numbers recorded in the http logs. 1 pulled these three logs to paint 
a fliller picture of the activity. 
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4. (U) I pulled these logs by writing queries and running those queries. I applied SQL queries to 
the database and UNIX commands to the web and application logs. SQL is a structural query 
language for interacting with databases. In other words, it is a tool used to perform inquires and 
pull data from a database. In order to accomplish the SQL query, I went to the command prompt 
screen, typed in the query, hit enter, and the computer generated the logs. The SQL queries I 
used pulled the logs and put them into a text output. I then saved the logs as well as the SQL 
query I used to pull those logs. UNIX in an operating system that comes in several variants, 
often called "flavors." For purposes of the queries described below, I used the "flavor" Solaris. 
To execute commands to cull the web and application logs on Solaris, I drafted and typed into a 
command prompt queries that contained the specific user id, IP addresses, and dates I was asked 
to review. In response to these queries, Solaris generated logs of user activity. These logs are 
identified using the original log name plus the suffix ".culled," as see below. In sum, by these 
queries, I asked the system to pull the pertinent audit events by the user "bradley.e. manning" 
and/or the IP addresses 22.225,41 .22 and 22.225,41 .40 and/or the time date group of October 
2009 to May 2010. 

5. (U) I pulied the HTTP logs, which log all activity going in and out of the web server, by IP 
address and time and date group. Specifically, I pulled the HTTP logs for the IP addresses 
22.225.4 1 .22 and 22.225.41 .40 between October 2009 and May 2010. The results are contained 
in the following files: 

ciawirc-production.httpd,log,2010-02-20,culled 
ciawire-production.httpdJog.20 1 0-02-2 1 .culled 
ciawire-production.httpd.log,20 1 0-02-23. culled 
ciawire-production.httpdJog.20l0-02-24.cuIled 
ciawirc-production.httpd.log.20 1 0-02-25 .culled 
ciawire-prodiiclion.httpdJog.20 1 0-02-27,culled 
ciawire-production.httpd.Iog.20 1 0-03-01. culled 
ciawire-production.httpd.iog.20 1 0-03-02.culied 
ciawire-production.httpd.log.20 1 0-03-04.culled 
ciawire-production.httpd.iog.20 1 0-03-08.culled 
ciawire-prodiiction.httpd.log.20 1 0-03-09.cuIled 
ciawirc-prodiiction.httpd.iog.20 1 0-03- 1 1 .culled 
ciawire-production.httpd.log.201 0-03- 12, culled 
ciawire-production.httpd.log.20 1 0-03- 1 5. culled 
ciawire-production.httpd.log.20 1 0-03-1 9.cu I led 
ciawirc-production.httpd.log.2010-03-20.culled 
ciawire-production.httpd.log.20 10-03-21. culled 
ciawire-production.httpd.log.2010-03-22.culled 
ciawire-production.httpd.log.20 1 0-03-23.culled 
ciawire-production.httpd.log.2010-03-24.culled 
ciawire-production.httpdjog.20 1 0-03-25.culled 
ciawire-production,httpdJog.20I0-03-27,culled 
ciawire-production,hltpdJog,2010-03-28,cuHed 
ciawiFe-production.httpdJog,20 10-03-29. culled 
ciawire-production.httpd.log.2010-03-30.cullcd 
ciawire-production.httpdJog.2010-04~03.cuIled 
ciawire-production.httpd.log.20 1 0-04-0 8. culled 
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ciawire-production.httpd.log.2010-04-*27.culled 
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a. (U)The entry "22.225. 4 1. 22" is the sending IP address. This address indicates the IP 
address of the computer that is requesting the information, 

b. (U) The entry "bradley.e.manning" is the user name assigned to the Inteiink Passport 
account that is requesting the information. This Inteiink user account is associated with the 
common name "Manning, Bradley E." 

c. (U) The entry "2 l/Mar/20 1 0:05:39:53 -0400" is the time and date group, which is given in 
Greenwich Mean Time (GMT). The time and date group records when the computer processes 
the request from the sending IP address. 



d. 




f. (U) The entry "%20" means that a space is there. 



g. (U) The entry "200" is a code that states that the user's request to "GET" and access the 
document was successful. 

h. (U) Based on the log information, I can tell someone downloaded the .pdf because a 
document number follows the "GET" request. A document number indicates that the user 
opened the document. Additionally, if the user has downloaded the document, then the log will 
say /document/docnum/attachment/pdf name. 

i. (U) The entry "45266" indicates the size of the user's request. 
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k. (U) The entry "MoziIIa/5.0" tells me that the user of the .22 IP address was using version 5 
of the Mozilla browser. 

1. (U) The entry "(Windows; U; Windows NT 5. 1 ; en-US; rv: 1 .9.0. 1 0)" means that a 
Windows NT workstation was being used by the user of 22.225.41 .22 computer. 

m. (U) The entry "Gecko/20090423 1 6 Firefox/3.0. 1 0\" tells me that the 22.225.41 .22 system 
was using the Firefox browser. 

^ 1 

7. (U) I pulled the production logs, which log all activity going in and out of the application, by 
IP address. Specifically, I pulled the production logs for the IP addresses 22.225.41 .22 and 
22.225.41 .40 between October 2009 and May 2010. I obtained results from 20 February 2010 to 
27 April 2010. The results are contained in the following files: 



production.log,20I0Q303.cuIled (various dates between 20-Feb-10 and 2-Mar-IO) 
production. log.20100401. culled (various dates between 4-Mar-10 and 30-Mar-IO) 
production. Iog.201 0061 S .culled (various dates between 3-Apr-10 and 27-Apr-I0) 

a. (U) The entry "22.225,41 .22" is the sending IP address. This address indicates the IP 
address of the computer that is requesting the information. 

b. (U) The entry "2010-03-21 05:39:53" is the time and date group. The time and date group 
records when the computer processes the request from the sending IP address. 



c. 
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I The entry "200" is a code that states that the user's request to "GET" and access the 
document was successful. The "OK" indicates the same information as the 200, that the 
document with identification number ^^^ISJliHS downloaded to the 22.225.41 .22 IP 
address. 




i. (U) Based on the log information, I can tell someone downloaded the .pdf because a 
document number follows the "GET" request. A document number indicates that the user 
opened the document. Additionally, if the user has downloaded the document, then the log will 
say /document/docinim/attachment/pdf name. 

9. (U) I also conducted database queries to pull other information and to pull information sorted 
in different ways. Again, I wrote a variety of SQL queries to do this. The results are contained 
in the following files: 



sql_document__v iews. I st 

sql_document_views documents earliest.Ist 

sql_documents.lst 

sql_dvs_documents_users. 1st 

sql_ searches Jst 

sqlusers.lst 



1 0. (U) The query "sql^users.Ist" is the result of the SQL command that I wrote to pull the 
Intelink Passport Account information for the user with the first name "Bradley" and the last 
name "Manning." The information the query produced revealed that the user with the Passport 
Identification "brad ley .e.maiining" had his organization listed as "USA"; his "Employee Type" 
as "Military"; and his "Rank" as "E-4." His registered email address was 
bradley.manning@us.army.smil.mil. His identification number was "3 1 169." 

1 1 , (U) To assist in, among other things, determining the names of the product numbers that 
were viewed and downloaded, I wrote a SQL query to pull the names of the products viewed by 
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the user with the identification number "31 169". I got the identification number from the query I 
conducted in "sql_users.Ist" to limit to search to only pull the documents viewed by the user of 
the Intclink Passport Account with the user name "bradley.e.manning." I saved that query as 
"sqljjocuments.Ist." I wrote another SQL command to just limit the query of "3 1 169" to 
document numbers and times, which is saved as "sql_document_views.lst /* I also wrote a SQL 
command to pull the document names in order of earliest viewed, which I saved as 
"sq^document^views documents earliest.Ist". "Sql_dvs_documents_users" has all the views 
by user "3 1 169" saved in the order the user viewed them. 
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c. (U) The classification of the title is "C//NF." 

e. (U) The classification of the memorandum is "SECRBT//NOFORN." 

13. (U) The information I provided is computer generated and only limited people have access 
to the information. I have no reason to believe that the information I provided was not accurate. 
On 1 9 June 20 1 2, 1 attested to the authenticity of the CI A Wire log files, containing the above 
listed logs and queries, The attestation is BATES numbers: 00449441-00449441. Prosecution 
Exhibit tSUfoi' Identification is the logs. 



//ORIGINAL SIGNED// 
ANGEL M. OVERGAARD 
CPT, JA 

Assistant Trial Counsel 



//ORIGINAL SIGNED// 
THOMAS HURLEY 
MAJ, JA 
Defense Counsel 



//ORIGINAL SIGNED// 
BRADLEY E. MANNING 
PFC, USA 
Accused 
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